infrastructure:services:keycloak
Differences
infrastructure:services:keycloak [2024-03-08 00:32 UTC] – only mention matrix channel and also describe offline flow for account creation june
infrastructure:services:keycloak [2024-04-24 20:46 UTC] (current) – Document the desired permission & configuration structure. Also mark it as such and further mark the Attributes section as ToDo and the RBAC section as NEEDS REVISION. june
Line 76: | Line 76: | ||
Außerdem ist wichtig, dass Keycloak allen Usern die " | Außerdem ist wichtig, dass Keycloak allen Usern die " | ||
+ | |||
+ | ==== Permission & Configuration Structure ==== | ||
+ | |||
+ | THIS IS THE DESIRED STATE AND NOT HOW IT WORKS IN PRACTICE YET. | ||
+ | |||
+ | This section tries to give insight into how the groups, roles, client roles and attributes work to form a permission and configuration structure for our realm and its clients. | ||
+ | |||
+ | === Groups === | ||
+ | |||
+ | Groups act like profiles, which one can apply to users. | ||
+ | |||
+ | Example: | ||
+ | * The '' | ||
+ | * The '' | ||
+ | * Same thing for groups like '' | ||
+ | |||
+ | Important to note here is that the groups themselves aren't used directly for access to clients/to grant permissions in any client. The group just holds the relevant client roles and attributes for granting access to clients/to grant permissions in any clients. \\ | ||
+ | This way of having the groups act like general profiles, but having the actual configuration of permissions achieved using client roles, decouples them both nicely. \\ | ||
+ | This then allows for special use cases like the wiki user for example, which isn't in any group, but still has access to certain clients and resources through manual assignment of client roles. | ||
+ | |||
+ | === Roles === | ||
+ | |||
+ | We don't make use of roles, since they are mostly the same as groups it seems. Further configuration beyond groups is achieved using client roles and attributes. | ||
+ | |||
+ | === Client Roles === | ||
+ | |||
+ | Client roles are used to configure client-specific user permissions. | ||
+ | |||
+ | Example: There exists a '' | ||
+ | |||
+ | === Attributes === | ||
+ | |||
+ | ToDo | ||
==== RBAC ==== | ==== RBAC ==== | ||
+ | |||
+ | NEEDS REVISION | ||
Für alle nicht-Keycloak-internen Clients haben wir nun auch Role Based Access Control. | Für alle nicht-Keycloak-internen Clients haben wir nun auch Role Based Access Control. |
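Review bot: the Roles subsection and the RBAC section that follows it contradict each other as written: "We don't make use of roles, since they are mostly the same as groups it seems" is immediately followed by the statement that all non-Keycloak-internal clients now have Role Based Access Control. The two only fit together if "roles" in the first sentence means realm roles and the RBAC is implemented with the client roles described under Client Roles; suggest stating that explicitly, e.g. "We don't make use of realm roles; access to clients is expressed purely through client roles (see RBAC below)". The given rationale is also imprecise: in Keycloak a group is a container for users that carries attributes and realm/client role mappings inherited by its members, whereas a realm role is an assignable permission (possibly composite), so the actual reason for the design is that attributes and client-role mappings live on the group, not that the two concepts are the same. The Groups subsection further introduces an exception, the wiki user that belongs to no group but is granted client roles directly; such direct assignments are invisible from group membership, so the page should list them (or say where they are recorded) so that a review of effective permissions does not miss them. Finally, the Attributes subsection is left as "ToDo" although the introduction names attributes as part of the configuration structure; at minimum note which attributes each client consumes.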
infrastructure/services/keycloak.txt · Last modified: 2024-04-24 20:46 UTC by june